I am sitting in Minneapolis on May 4, 2017. Our host at the conference this morning reminds us that today is "Star Wars" day (May the fourth be with you).
Leading the next session are three key leads from the FDA, so update the attendees on the FSMA IA Rule. Ryan Newkirk, Colin Barthel, and Captain Jon Woody. Collectively they are policy analysts and senior advisors to the FDA Food Defense and Emergency Coordination Staff.
Ryan began with a general overview, calling the IA Rule one of the seven foundational rules for FSMA, but calls this one out as unique. The full name is "mitigation Strategiwes to Protect Food Against Intentional Adulteraion," but it may go by the Food Defense Rule, the Intentional Adulteration Rule, or the already mentioned IA Rule.
Rule making is a rigorous and time consuming process. This one was originally proposed in 2013. After more than 200 comments the final rule was published about a year ago, May 27, 2016.
The rule for the first time establishes requirement to prevent or significantly minimize acts intended to cause wide-scale public health harm. "Act" intended refers to malicious acts, those persons who would intentionally wish to cause harm. The wide-scale public health harm term focuses the rule on major events, distinguishing it from most typical food safety requirements.
The rule covers "registered" entities - those registration requirements have existed for some years. There are business that are not covered, such as farms, and business that are exempt or have lesser, modified requirements, such as small businesses under $10 million in human food sales. Another exemption is holding food - like warehousing.
Then there is an exception to the exception - those dealing with the holding and storage of food in liquid storage tanks.
The main requirement is the creation of an individual food defense plan, with five required components:
Procesudres for food defense monitoring
Food defense corrective action procedures
Food defense verification procedures.
There is also a training requirement in the rule. And similar reanalysis and records requirements as the PC (Preventive Controls) rule.
Compliance dates range from 5 years (July 26, 2021) for very small businesses, to 4 years for small business and 3 years for all others.
There is a plan for additional guidance documents. The work on developing these guidance is going on now. While acknowledging that industry would wish this guidance was already available, it is in development. No prospective dates could be given because of other approvals needed after FDA finishes their documents.
Ryan did indicate that if you print the rule out, that there are many pages of guidance. A lot of questions that they hear are answered in the preamble of the rule.
Two of the most popular tools available today are the Food Defense Plan Builder tool (free downloadable software) and the Food Defense Mitigation Strategies database. Both of these tools are being updated, but dates are not available as these updates are connected to the updated guidance publication.
Colin addressed the design of an inspection and compliance approach that is tailored to the nuances of the IA rule, while conforming to methods that industry is already familiar with.
He described a two level inspectional approach. The first level would be a Food Defense Plan Quick-Check and the second would be a Food Defense Inspection.
The Quick-Check would be conducted as a part of the normal food safety inspection process. This would confirm at a high level that basic components are in place. This would require very little training for the food safety investigators and present a very low burden on agency and industry.
Essentially, this would be a very large scope review, while fairly broad. At a high level, they would not be critiquing the rationale for the plant's vulnerability assessment, or other decisions made during the creation of the food defense plan.
Specialized training for a smaller number of investigators will allow them to take a much more focused inspection, and a much smaller number of facilities. These facilities would be identified by a variety of means for a more rigorous analysis.
This inspection would conduct a dedicated and detailed review of the food defense plan, including evaluating the vulnerability assessment and the mitigation strategies. The advanced training would insure these investigators approach food defense from the same perspective as the industry. In fact, the intention is that the training would be largely the same for both inspectors and industry (more on that later).
Finally, the inspection protocols will be rolled out in a staged implementation timeline, and only after relevent compliance dates pass.
The assurance was that there would be no IA rule investigation checks before the compliance dates. The inference was that in the early days after the compliance dates, only the Quick-Checks might be experienced, in a not-adversarial manner, with no heavy enforcement hand on day one.
These quick checks would help them prioritize, later on, the limited more detailed inspections.
Jon discussed the "third pillar" after guidance and compliance: training.
For many companies this is still a relatively new concept. Today's companies are along a spectrum of knowledge with some that may be well beyond the level of compliance, and others still figuring out what they need to do.
For this reason, training is an integral part of the implementaiton process. Indeed, the FDA has for years been doing online training and workshops, both domestically and internationally.
Jon asked for those familiar wiith the preventive controls FSPCA. They have been operating for six years and are well along with curriculum for preventive controls and other related topics.
Under that same model, FDA has funded FSPCA to establish an intentional adulteration subcommittee. (Jon chairs the subcommittee and this author is a member).
Under this subcommittee will be developed a standardized training curriculum to support the training requirements of the IA rule.
The rule has a "qualified individual" requirement. It is not a strict training requirement, you can be a qualified individual from some combination of training, knowledge and experience. The exception is awareness training required for certain roles.
Different individual roles would be supported by different kinds of training components - from online modules to in person training. Please note that the reuqired awareness training for certain roles and will be supported by an online module offered by the FDA.
Vulnerability Assessments are probably the most technically complex piece of the regulation and does not lend itself well for distance learning. They are envisioning a one day face to face course where they will walk through the elements of a vulnerability assessment and what it looks like to conduct that assessment.
There is a challenge ifor that face to face training to create a cadre of trainer of trainers and lead instructors for this course. The intention is to follow a similar approach as the FSPCA has done for the preventive controls course, including the international outreach component.
There is a likely exception. If an organization chooses to use the four key activity types instead of a vulnerabiltiy assessment (as allowed in the rule), then face to face training would not be required.
Ryan returned to talk about some recurring themes:
Applicability of HACCP=type framework to IA
Questions on terminology are being addressed both through discussions and events such as this one, but also in the guidance documents. But as previously mentioned, the guidance document drafts are not yet available so we will have to stand by.
HACCP is very resource intensive. In particular, the monitoring of many CCPs is virtually continuous. But it is NOT the intent of IA for the monitoring to be continuous - e.g. monitoring a lock on a silo may be daily at the end of a work period.
Similarly, corrective actions can be quite extensive in a food safety context. But in food defense, the corrective actions are expected to be more common sense. It may be as simple as re-locking the unlocked lock (say that three times fast) or buying a new lock to replace one that is rusty.
Finally, there can be fairly few steps appropriate to verification (and no validation). Ryan didn't give an example, but I think this might be a simple, recurring internal audit checklist.
Colin talked to mitigation strategies, and that they do not necessarily require anything more than you are already doing. In the case of existing strategies, or a procedure put in place for another purpose, merely adjust them as needed and document them in food defense plan.
By the way, Colin pointed out that when the guidance documents come out, there will be a comment period similar to the draft rule, where unanswered questions can be addressed.
When will the more in depth inspections occur?
They are going to start with the Quick-Checks (only) and it may a year or two or three before they being the more in depth inspections.
How will an inspector evaluate a mitigation strategy when there could be multiple opinions as to the risk and what mitigations are appropriate?
The threat environment is hard to establish and constantly changing, so the focus will be on the susceptibility of the process step. They are looking for people during the vulnerability assessment to look at the susceptibiliy and the resulting impact, so that industry does not need to be able to assess threats.
Who will perform the inspections, only FDA?
We currently partner with state and other governmental partners for inspectional activities and would partner with them again, through the contractual agreements, to inspect for the IA rule. States would not be compelled to support the IA rule, but would be able within their agreements to support the IA rule.
FPDI, the Food Protection and Defense Institute is presenting their annual conference, the Food Defense Conference 2017 in Minneaplis, MN on May 3 and 4, 2017.